Hello community, here is the log from the commit of package postfix for openSUSE:Factory checked in at 2020-09-04 10:52:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/postfix (Old) and /work/SRC/openSUSE:Factory/.postfix.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Fri Sep 4 10:52:47 2020 rev:190 rq:830871 version:3.5.7 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2020-08-12 10:56:24.316740607 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new.3399/postfix.changes 2020-09-04 10:52:56.950425258 +0200 @@ -1,0 +2,21 @@ +Mon Aug 31 13:38:04 UTC 2020 - Michael Ströder <[email protected]> + +- Update to 3.5.7 + * Fixed random certificate verification failures with + "smtp_tls_connection_reuse = yes", because tlsproxy(8) was using + the wrong global TLS context for connections that use DANE or + non-DANE trust anchors. + +------------------------------------------------------------------- +Tue Aug 25 13:54:40 UTC 2020 - Thorsten Kukuk <[email protected]> + +- Move ldap into an own sub-package like all other databases +- Move manual pages to correct sub-package + +------------------------------------------------------------------- +Fri Aug 21 08:44:22 UTC 2020 - Thorsten Kukuk <[email protected]> + +- Use sysusers.d to create system accounts +- Remove wrong %config for systemd directory content + +------------------------------------------------------------------- Old: ---- postfix-3.5.6.tar.gz postfix-3.5.6.tar.gz.asc New: ---- postfix-3.5.7.tar.gz postfix-3.5.7.tar.gz.asc postfix-user.conf postfix-vmail-user.conf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.2ezBId/_old 2020-09-04 10:52:58.194425924 +0200 +++ /var/tmp/diff_new_pack.2ezBId/_new 2020-09-04 10:52:58.198425927 +0200 
@@ -31,15 +31,17 @@ %define pf_html_directory %{_docdir}/%{name}-doc/html %define pf_sample_directory %{_docdir}/%{name}-doc/samples %define pf_data_directory %{_localstatedir}/lib/%{name} +%if 0%{?suse_version} < 1330 %define pf_uid 51 %define pf_gid 51 %define maildrop_gid 59 -%define mail_group mail -%define conf_backup_dir %{_localstatedir}/adm/backup/%{name} %define vmusr vmail %define vmgid 303 %define vmid 303 %define vmdir /srv/maildirs +%endif +%define mail_group mail +%define conf_backup_dir %{_localstatedir}/adm/backup/%{name} %define unitdir %{_prefix}/lib/systemd #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} @@ -52,8 +54,9 @@ %bcond_with lmdb %bcond_with libnsl %endif +%bcond_without ldap Name: postfix -Version: 3.5.6 +Version: 3.5.7 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 @@ -67,6 +70,8 @@ Source4: postfix.keyring Source10: %{name}-rpmlintrc Source11: check_mail_queue +Source12: postfix-user.conf +Source13: postfix-vmail-user.conf Patch1: %{name}-no-md5.patch Patch2: pointer_to_literals.patch Patch3: ipv6_disabled.patch @@ -86,7 +91,9 @@ BuildRequires: libopenssl-devel BuildRequires: m4 BuildRequires: mysql-devel +%if %{with ldap} BuildRequires: openldap2-devel +%endif BuildRequires: pcre-devel BuildRequires: pkgconfig BuildRequires: postgresql-devel @@ -97,7 +104,6 @@ Requires(post): permissions Requires(pre): %fillup_prereq Requires(pre): permissions -Requires(pre): shadow Conflicts: exim Conflicts: sendmail Provides: smtp_daemon @@ -109,9 +115,13 @@ BuildRequires: libnsl-devel %endif %if 0%{?suse_version} >= 1330 +BuildRequires: sysuser-tools Requires: system-user-nobody Requires: group(%{mail_group}) Requires(pre): group(%{mail_group}) +%sysusers_requires +%else +Requires(pre): shadow %endif %description 
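Review bot: In the first postfix.spec hunk, `pf_uid`, `pf_gid`, `maildrop_gid`, `vmusr`, `vmgid`, `vmid` and `vmdir` are now defined only when `0%{?suse_version} < 1330`, and rpm leaves an undefined macro in place as literal text instead of failing the build. The uses visible in this diff sit in the legacy `%else` branches of `%pre` and `%pre mysql`, but the rest of the spec is outside the hunks, so any remaining `%{vmdir}` or `%{vmusr}` in `%install` or `%files` would silently become a literal path or owner name on newer releases. A comment above the block would record the constraint: `# Legacy static IDs, used only by the pre-sysusers scriptlets (suse_version < 1330)`.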
@@ -138,7 +148,11 @@ Summary: Postfix plugin to support MySQL maps Group: Productivity/Networking/Email/Servers Requires(pre): %{name} = %{version} +%if 0%{?suse_version} >= 1330 +%sysusers_requires +%else Requires(pre): shadow +%endif %description mysql Postfix plugin to support MySQL maps. This library will be loaded by @@ -154,6 +168,18 @@ by starting %{name} if you'll access a postmap which is stored in PostgreSQL. +%if %{with ldap} +%package ldap +Summary: Postfix LDAP map support +Group: Productivity/Networking/Email/Servers +Requires: %{name} = %{version} +Provides: postfix:/usr/lib/postfix/postfix-ldap.so + +%description ldap +This provides support for LDAP maps in Postfix. If you plan to use LDAP +maps with Postfix, you need this. +%endif + %if %{with lmdb} %package lmdb Summary: Postfix plugin to support LMDB maps @@ -197,8 +223,10 @@ export AUXLIBS="${AUXLIBS} -lssl -lcrypto" fi # +%if %{with ldap} export CCARGS="${CCARGS} -DHAS_LDAP -DLDAP_DEPRECATED=1 -DUSE_LDAP_SASL" export AUXLIBS_LDAP="-lldap -llber" +%endif # export CCARGS="${CCARGS} -DHAS_PCRE" export AUXLIBS_PCRE="-lpcre" @@ -240,13 +268,14 @@ config_directory=%{_sysconfdir}/%{name} \ SHLIB_RPATH="-Wl,-rpath,%{pf_shlib_directory} -Wl,-z,relro,-z,now" make %{?_smp_mflags} +%if 0%{?suse_version} >= 1330 +# Create postfix user +%sysusers_generate_pre %{SOURCE12} postfix +%sysusers_generate_pre %{SOURCE13} vmail +%endif # --------------------------------------------------------------------------- %install -groupadd -g %{pf_gid} -o -r %{name} 2> /dev/null || : -groupadd -g %{maildrop_gid} -o -r maildrop 2> /dev/null || : -useradd -r -o -g %{name} -u %{pf_uid} -s /bin/false -c "Postfix Daemon" -d /%{pf_queue_directory} %{name} 2> /dev/null || : -usermod -a -G %{maildrop_gid},%{mail_group} %{name} 2> /dev/null || : mkdir -p %{buildroot}/%{_libdir} mkdir -p %{buildroot}%{_sysconfdir}/%{name} cp conf/* %{buildroot}%{_sysconfdir}/%{name} 
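Review bot: The `Provides: postfix:/usr/lib/postfix/postfix-ldap.so` line in the new `%package ldap` block hard-codes a path, while the `%files ldap` section later in this diff ships the module as `%{pf_shlib_directory}/%{name}-ldap.so`. The definition of `pf_shlib_directory` is outside the hunks, so it cannot be confirmed here that the two agree. If they differ, the file-based provide presumably would not match what the old package installed, and an upgraded host that relies on LDAP maps could end up without the plugin and with failing lookups. Deriving the provide from the same macro keeps the two in step: `Provides: postfix:%{pf_shlib_directory}/%{name}-ldap.so`.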
@@ -378,8 +407,22 @@ done # --------------------------------------------------------------------------- install -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/ +%if 0%{?suse_version} >= 1330 +mkdir -p %{buildroot}%{_sysusersdir} +install -m 644 %{SOURCE12} %{buildroot}%{_sysusersdir}/ +install -m 644 %{SOURCE13} %{buildroot}%{_sysusersdir}/ +%endif +%if 0%{?suse_version} >= 1330 +%pre -f postfix.pre +%else %pre +getent group %{name} >/dev/null || groupadd -g %{pf_gid} -o -r %{name} +getent group maildrop >/dev/null || groupadd -g %{maildrop_gid} -o -r maildrop +getent passwd %{name} >/dev/null || useradd -r -o -g %{name} -u %{pf_uid} -s /bin/false -c "Postfix Daemon" -d /%{pf_queue_directory} %{name} +usermod -a -G %{maildrop_gid},%{mail_group} %{name} +%endif + %service_add_pre %{name}.service VERSIONTEST=$(test -x usr/sbin/postconf && usr/sbin/postconf proxy_read_maps 2>/dev/null || :) @@ -390,12 +433,11 @@ exit 1 fi fi -getent group %{name} >/dev/null || groupadd -g %{pf_gid} -o -r %{name} -getent group maildrop >/dev/null || groupadd -g %{maildrop_gid} -o -r maildrop -getent passwd %{name} >/dev/null || useradd -r -o -g %{name} -u %{pf_uid} -s /bin/false -c "Postfix Daemon" -d /%{pf_queue_directory} %{name} -usermod -a -G %{maildrop_gid},%{mail_group} %{name} # --------------------------------------------------------------------------- +%if 0%{?suse_version} >= 1330 +%pre mysql -f vmail.pre +%else %pre mysql #echo "PARAM_pre: "$1 # on `rpm -ivh` PARAM is 1 @@ -409,6 +451,7 @@ useradd -c "maildirs chef" -d %{vmdir} -g %{vmusr} -u %{vmid} -r -s /bin/false %{vmusr} fi fi +%endif # --------------------------------------------------------------------------- %preun 
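Review bot: On the legacy `%else` branch of `%pre`, `groupadd ... -o` and `useradd ... -o` accept a numeric ID that is already in use, so if 51 or 59 is taken the postfix account ends up sharing an ID with an unrelated account, and with it the ownership of the queue directories. The `getent` guards check only the name, not the number. Dropping `-o` makes a collision fail visibly, for example `getent group %{name} >/dev/null || groupadd -g %{pf_gid} -r %{name}`, and the same applies to the `maildrop` group and the `useradd` line. If the non-unique behaviour is intentional, a comment saying why would help the next maintainer.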
@@ -516,7 +559,6 @@ %config(noreplace) %{_sysconfdir}/%{name}/canonical %config(noreplace) %{_sysconfdir}/%{name}/header_checks %config(noreplace) %{_sysconfdir}/%{name}/helo_access -%config(noreplace) %{_sysconfdir}/%{name}/ldap_aliases.cf %config(noreplace) %{_sysconfdir}/%{name}/main.cf %config(noreplace) %{_sysconfdir}/%{name}/master.cf %attr(0750,root,root) %config %{_sysconfdir}/%{name}/post-install @@ -543,7 +585,7 @@ %dir %{_sysconfdir}/%{name}/ssl/certs %{_sysconfdir}/%{name}/ssl/cacerts %dir %{pf_shlib_directory}/systemd -%config %attr(0755,root,root) %{pf_shlib_directory}/systemd/* +%attr(0755,root,root) %{pf_shlib_directory}/systemd/* %{_unitdir}/%{name}.service %verify(not mode) %attr(2755,root,%{pf_setgid_group}) %{_sbindir}/postdrop %verify(not mode) %attr(2755,root,%{pf_setgid_group}) %{_sbindir}/postqueue @@ -571,7 +613,6 @@ %{_libexecdir}/sendmail %dir %{pf_shlib_directory} %{pf_shlib_directory}/*[^.so] -%{pf_shlib_directory}/%{name}-ldap.so %{pf_shlib_directory}/%{name}-pcre.so %{pf_shlib_directory}/lib%{name}-dns.so %{pf_shlib_directory}/lib%{name}-global.so @@ -583,6 +624,10 @@ %{conf_backup_dir} %dir %attr(0700,%{name},root) %{pf_data_directory} +%exclude %{_mandir}/man5/ldap_table.5* +%exclude %{_mandir}/man5/lmdb_table.5* +%exclude %{_mandir}/man5/mysql_table.5* +%exclude %{_mandir}/man5/pgsql_table.5* %{_mandir}/man?/*%{?ext_man} %dir %attr(0755,root,root) /%{pf_queue_directory} %dir %attr(0700,%{name},root) /%{pf_queue_directory}/active @@ -598,6 +643,9 @@ %dir %attr(0700,%{name},root) /%{pf_queue_directory}/trace %dir %attr(0730,%{name},maildrop) /%{pf_queue_directory}/maildrop %dir %attr(0710,%{name},maildrop) /%{pf_queue_directory}/public +%if 0%{?suse_version} >= 1330 +%{_sysusersdir}/postfix-user.conf +%endif %files devel %{_includedir}/%{name}/ 
@@ -611,13 +659,26 @@ %config(noreplace) %attr(640, root, %{name}) %{_sysconfdir}/%{name}/*_maps.cf %config(noreplace) %{_sysconfdir}/%{name}/main.cf-mysql %{pf_shlib_directory}/%{name}-mysql.so +%{_mandir}/man5/mysql_table.5%{?ext_man} +%if 0%{?suse_version} >= 1330 +%{_sysusersdir}/postfix-vmail-user.conf +%endif %files postgresql %{pf_shlib_directory}/%{name}-pgsql.so +%{_mandir}/man5/pgsql_table.5%{?ext_man} + +%if %{with ldap} +%files ldap +%config(noreplace) %{_sysconfdir}/%{name}/ldap_aliases.cf +%{pf_shlib_directory}/%{name}-ldap.so +%{_mandir}/man5/ldap_table.5%{?ext_man} +%endif %if %{with lmdb} %files lmdb %{pf_shlib_directory}/%{name}-lmdb.so +%{_mandir}/man5/lmdb_table.5%{?ext_man} %endif %changelog ++++++ postfix-3.5.6.tar.gz -> postfix-3.5.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.6/HISTORY new/postfix-3.5.7/HISTORY --- old/postfix-3.5.6/HISTORY 2020-07-26 20:28:09.000000000 +0200 +++ new/postfix-3.5.7/HISTORY 2020-08-30 16:15:56.000000000 +0200 
@@ -24819,3 +24819,18 @@ the system-wide OpenSSL configuration of allowed TLS protocol versions, for sessions where the remote SMTP client sends SNI. It's better to be safe than sorry. File: tls/tls_server.c. + +20200821 + + Bugfix (introduced: Postfix 3.4, already fixed in Postfix + 3.6): tlsproxy(8) was using the wrong DANE macro for + connections with DANE trust anchors or with non-DANE trust + anchors (WTF: Thorsten Habich found this bug in the use + case that has nothing to do with DANE). This resulted in a + global certificate verify function pointer race, between + TLS handshakes that use TLS trust achors and handshakes + that use PKI. No memory was corrupted in the course of all + this. Viktor Dukhovni. File: tlsproxy/tlsproxy.c. + + Cleanup: the posttls-finger '-X' option reported a false + conflict with '-r'. File: posttls-finger/posttls-finger.c. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.6/src/global/mail_version.h new/postfix-3.5.7/src/global/mail_version.h --- old/postfix-3.5.6/src/global/mail_version.h 2020-07-26 20:14:48.000000000 +0200 +++ new/postfix-3.5.7/src/global/mail_version.h 2020-08-30 15:53:35.000000000 +0200 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200726" -#define MAIL_VERSION_NUMBER "3.5.6" +#define MAIL_RELEASE_DATE "20200830" +#define MAIL_VERSION_NUMBER "3.5.7" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.6/src/posttls-finger/posttls-finger.c new/postfix-3.5.7/src/posttls-finger/posttls-finger.c --- old/postfix-3.5.6/src/posttls-finger/posttls-finger.c 2019-02-12 14:17:45.000000000 +0100 +++ new/postfix-3.5.7/src/posttls-finger/posttls-finger.c 2020-08-22 01:17:03.000000000 +0200 
@@ -1988,7 +1988,7 @@ msg_fatal("bad '-a' option value: %s", state->options.addr_pref); #ifdef USE_TLS - if (state->tlsproxy_mode && state->reconnect) + if (state->tlsproxy_mode && state->reconnect >= 0) msg_fatal("The -X and -r options are mutually exclusive"); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.6/src/tlsproxy/tlsproxy.c new/postfix-3.5.7/src/tlsproxy/tlsproxy.c --- old/postfix-3.5.6/src/tlsproxy/tlsproxy.c 2020-06-20 20:55:59.000000000 +0200 +++ new/postfix-3.5.7/src/tlsproxy/tlsproxy.c 2020-08-22 01:37:21.000000000 +0200 @@ -998,8 +998,17 @@ state->client_start_props->fd = state->ciphertext_fd; /* These predicates and warning belong inside tls_client_start(). */ if (!tls_dane_avail() /* mandatory side effects!! */ - &&TLS_DANE_BASED(state->client_start_props->tls_level)) - msg_warn("%s: DANE requested, but not available", + + /* + * Why not test for TLS_DANE_BASED()? Because the tlsproxy(8) client has + * already converted its DANE TLSA records into trust anchors, and + * therefore TLS_DANE_HASTA() will be true instead. That exercises the + * code path that updates the shared SSL_CTX with custom X.509 + * verification callbacks for trust anchors. + */ + &&TLS_DANE_HASTA(state->client_start_props->dane)) + msg_warn("%s: DANE or local trust anchor based chain" + " verification requested, but not available", state->client_start_props->namaddr); else state->tls_context = tls_client_start(state->client_start_props); 
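Review bot: The corrected test `state->reconnect >= 0` in posttls-finger.c is only right if `reconnect` holds a negative value whenever `-r` was not given, and that initialisation is outside this hunk. The old truthiness test hints that the field's default is non-zero, but nothing visible here states the convention. If that is the convention, a one-line comment above the check would keep it from regressing: `/* reconnect is negative unless -r was specified */`. The enclosing function starts and ends outside the hunk.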
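Review bot: In the tlsproxy.c `@@ -998` hunk the block comment sits between the two operands of the `if` condition, after `!tls_dane_avail()` and before `&&TLS_DANE_HASTA(...)`, which makes a predicate that gates certificate verification hard to read; it belongs above the `if`. The same comment and the same `TLS_DANE_HASTA(state->client_start_props->dane)` test are repeated in the `@@ -1427` hunk as the argument to `tlsp_client_init()`. HISTORY attributes the bug to the wrong macro at these sites, so a single shared predicate with the comment attached once would be safer than two copies that can drift apart. On the warning branch `state->tls_context` is not assigned here and the code that follows is outside the hunk, so it is worth confirming that the session is refused instead of continuing without trust-anchor verification.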
@@ -1427,7 +1436,15 @@ } state->appl_state = tlsp_client_init(state->tls_params, state->client_init_props, - TLS_DANE_BASED(state->client_start_props->tls_level)); + + /* + * Why not test for TLS_DANE_BASED()? Because the tlsproxy(8) client + * has already converted its DANE TLSA records into trust anchors, + * and therefore TLS_DANE_HASTA() will be true instead. That + * exercises the code path that updates the shared SSL_CTX with + * custom X.509 verification callbacks for trust anchors. + */ + TLS_DANE_HASTA(state->client_start_props->dane) != 0); ready = state->appl_state != 0; break; case TLS_PROXY_FLAG_ROLE_SERVER: ++++++ postfix-user.conf ++++++ # Type Name ID GECOS [HOME] g maildrop 59 - - g postfix 51 - - u postfix 51 "Postfix Daemon" /var/spool/postfix m postfix maildrop m postfix mail ++++++ postfix-vmail-user.conf ++++++ # Type Name ID GECOS [HOME] g vmail - - - u vmail - "Virtual Mail User" /srv/maildirs
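Review bot: `postfix-vmail-user.conf` requests a dynamically allocated ID (`-`) for both the `vmail` group and user, whereas the legacy scriptlet path in the spec pins them to 303 through `vmid` and `vmgid`. On new installs the numeric owner of `/srv/maildirs` can therefore differ between hosts, which matters when maildirs live on shared storage or are restored from backup, because the files then belong to whichever local account has that number. If the fixed ID is still wanted, the lines would be `g vmail 303 - -` and `u vmail 303 "Virtual Mail User" /srv/maildirs`; if the change is deliberate, a comment in the file saying so would help. Separately, `postfix-user.conf` repeats the values 51 and 59 that the spec keeps in `pf_uid`, `pf_gid` and `maildrop_gid`, so the two copies need to be changed together.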
